In accordance with the data privacy rules, the company that stipulates the purpose for which, and the resources with which the data are processed is responsible for processing personal data. Several companies can be jointly responsible for processing.
None of these lists are exhaustive.
If you have any questions or concerns about data privacy, in the first instance you can contact the Coop Cooperative:
Tel. 0848 888 444
We also have an EU Representative for the EU region. The EU Representative's contact details are as follows:
VGS Datenschutzpartner UG
Am Kaiserkai 69
You can request information about the personal data we process about you at any time. Please send your request for information, together with proof of your identity, to the company responsible (see Clause 3).
We can restrict or refuse the information if this information is contrary to our legal obligations, our own legitimate interests, public interests or the interests of a third party. The same applies if the request for information is an abuse of the law. If the effort involved is disproportionate, we can require a contribution towards the costs. In this case, we will inform you in advance.
The processing of your request is subject to the statutory 30-day processing period. However, we may extend this period if we are dealing with a large volume of enquiries, for legal or technical reasons, or because we require more detailed information from you. You will be given notice of any extension to the period, in text form as a minimum.
You have the option to request the erasure or rectification of your personal data at any time. We kindly ask to send your request for deletion, with a proof of identity, to the responsible company (see Clause 3).
We can refuse the request if statutory provisions require us to retain the data unchanged or for an extended period, or if we have a permission on grounds that override your request.
Please note that the exercise of your rights may conflict with contractual agreements and may impact on contract performance (e.g. early contract termination or cost implications).
If you are affected by the processing of personal data you have the option to enforce your rights through a court or to submit a report to the relevant supervisory authority. The relevant supervisory authority in Switzerland is the Swiss Federal Data Protection and Information Commissioner: http://www.edoeb.admin.ch.
The term personal data denotes any information relating to an identified or identifiable natural person, such as name, address, date of birth, e-mail address or telephone number. Data about personal preferences, such as leisure activities or membership, are also personal data.
Special category personal data are data on religious, ideological, political or trade union-related views or activities; data on health and any information on administrative or criminal proceedings and sanctions, as well as data on social security measures. Where necessary and appropriate, we can request and process special category personal data. In this case, such data are processed in the strictest confidence.
Processing is any handling of personal data, regardless of the resources and procedures used, in particular the sourcing, storage, retention, use, modification, disclosure, archiving, erasure or destruction of data.
Disclosure is the transfer of, or granting of access to personal data, or their publication or disclosure to a third party.
Anonymization denotes the procedure whereby personal data are modified so that no conclusions can be drawn about the natural person to whom they pertain. Unlike pseudonymization, anonymization cannot be reversed.
The pseudonymization of personal data describes the procedure for making personal data unrecognizable. This involves replacing data that identify a person (e.g. name, date of birth, place of residence) with a pseudonym (e.g. a code). Someone in possession of the crucial information can thus assign the data to a specific person (in a process called reverse pseudonymization or re-identification).
We process the personal data about you that are necessary in order to fulfil the relevant purposes. More detailed information about the personal data processed can be found under the individual purposes (see Clause 8).
Usually, you share your personal data with us yourself, e.g. by transmitting them to us or when you communicate with us.
In certain instances, we collect data about you ourselves or automatically, e.g. when you use our services, shop with us, browse our websites or use our apps. Such data include, in particular, behavioural and transactional data, online identification data, and online tracking and traffic data (see Clause 8.3). In certain instances, we can also derive the data from existing data, for example by analysing transactional or behavioural data (see Clause 13).
Should the purpose require it, your personal data will also be amalgamated by other companies within the Coop Group (see Clause 8.3 and 13). We may also receive your personal data from a third party. Some examples of such third parties are:
The personal data we receive from third parties may cover the following categories:
We can process your personal data for various purposes. Primarily, we use them in order to provide you with our services.
Usually, we have to process your personal data in order to conclude and perform contracts with you. This is the case when, for instance, you place a customer order in one of our online shops or at one of our stores, register for a customer account, use one of our apps, or avail yourself of any of our other online or offline offerings. In particular, contract performance may involve processing the following categories of personal data:
For the purpose of contract performance, we can undertake all processing necessary in order to initiate and conclude the contract, perform the contract or enforce the contract. We can, for instance, obtain a credit rating for you before concluding a contract (including data on your ability to pay and your payment behaviour), in order to decide whether and in what form we will enter into a contract with you. For products that are subject to an age restriction, we can require proof of your date of birth in the form of a copy of your passport or ID document, or automatically check your age based on your passport or ID number. In order to deliver an ordered product to you, we may have to share your data with third-party providers (e.g. the postal service). Furthermore, we share data with the relevant payment provider in order to process payment. We can also process your data in connection with enquiries from you about the product, remedying defects, handling complaints, reserving products or rating products.
In order to communicate with you and respond to your concerns, we have to process your personal data. This may be the case when you use one of our contact forms, contact us by e-mail, post or telephone or another method, when we contact you, or for customer care. To this end, we process the following data in particular:
We can undertake all processing necessary in order to communicate with you. In particular, we can answer your enquiries or get in touch with you if we have questions. We can also use the communication data for quality assurance and training purposes. In this case, wherever possible the data will only be used in pseudonymized or anonymized form. If we record or listen in to telephone conversations or video calls for quality assurance and training purposes, we will make you specifically aware of this. If you do not want conversations of calls to be recorded, please let us know or terminate your participation. If you merely do not wish images to be recorded, you can switch off your camera. Communication in connection with other purposes such as contract performance (Clause 8.1), marketing (Clause 8.3) or market research (Clause 8.4) may also be recorded. More information can be found under each purpose.
To enable us to make attractive and suitable offers to you and send you interesting information about products, services, events etc., we may process your personal data for marketing purposes. This is the case when, for example, you make a purchase in one of our online shops, place an order in one of our stores, register for a customer account, use one of our apps, take part in a competition, or avail yourself of any of our other online and offline offerings. In particular, we may collect the following data about you for marketing purposes:
Marketing purposes cover all processing that enables us to inform you about our offerings in a suitable manner. We may send you written and electronic information or offers. This includes, for example, the electronic mailing of newsletters, e-mails, push notifications in apps or other electronic notifications as well as the postal mailing of advertising brochures, magazines or other printed material. It also includes digital advertising such as search, display, video or social ads. We may also send you vouchers or invite you to events or competitions. We may also show you recommendations for products or services on our websites and apps or make you aware of abandoned orders.
Furthermore, we may personalize the relevant offers and information based on the data we have available about you so that, as far as possible, you only receive information and offers that are relevant and of interest to you. To this end, we may undertake appropriate analyses and build profiles (see Clause 13). In addition, we measure the effectiveness of our advertising measures and evaluate them.
We may also instruct third-party providers to run advertising measures and advertising campaigns, measure conversions and perform the relevant evaluations (e.g. with the use of third party cookies, see also Clause 18.2, 18.3).
You may unsubscribe at any time from marketing communication received. Each e-mail communication contains a link to unsubscribe. Information on how to prevent marketing cookies (which, for example, result in personalized ads) can be found in the provisions on cookies (Clause 18.2).
We may also process your personal data for purposes other than those mentioned above. These include:
The legal basis for collecting and processing your personal data depends on the respective purpose of the processing in each individual case. The following principles apply:
By way of exception, should we be unable to abide by these principles the data processing may nonetheless be lawful because there is a justification for the processing. Specifically, the following constitute justification:
You can withdraw any consent you have granted at any time. To this end, we have created an opt-out option for certain types of processing. An informal e-mail is also sufficient. The legality of data processing already done remains unaffected by this.
Specifically, the following reasons constitute legitimate interests:
We can pass your personal data on to other companies within the Coop Group. Your personal data are passed on primarily for administrative purposes within the group or in order to process contracts (see Clause 8.1). In these cases, the data are not processed by the company concerned for its own purposes. For this purpose, however, changes to your master data (e.g. change of address) in one place can be handled elsewhere within the Coop Group.
Your personal data can also be passed on in order to carry out marketing activities. Furthermore, your personal data can be collated with the data of other companies of the Coop Group and evaluated (see Clause 13). Other companies of the Coop Group or formats of the Coop Cooperative can use the personal data for their own purposes and make customized offers to you. However, data will only be evaluated and passed on in this manner with your consent, which you can withdraw at any time (for more information about this, see also Clause 13).
Information about the formats and companies of the Coop Group can be found in Clause 3.
We can also pass on your personal data to third parties outside the Coop Group (e.g. to the company entrusted with delivering the goods or the credit institution that processes the payment) if this is necessary for contract execution or in order to make use of the required technical or organizational services. Such third parties are contractually obliged to process your personal data exclusively on our behalf and in accordance with our instructions. Moreover, third parties must take suitable technical and organizational measures to safeguard the security of your personal data. Specifically, service providers in the following areas may be asked to process your personal data in this manner:
Our service providers may also process data on how their services are used, as well as other data involved in the use of their service, in the capacity of independent data controllers and for their own legitimate interests (e.g. for statistical analysis or billing). Service providers provide information about independent data processing in their respective privacy policies.
We may also pass personal data on to authorities in Switzerland and abroad if we are legally obliged to do so, or legally justified in doing so, or if this is necessary to protect our legitimate interests. The authorities process the data they have received from us under their own responsibility.
Wherever possible, we process your personal data in Switzerland or in the European Economic Area (EEA). Your personal data may be transferred to service providers abroad for contract processing (see Clause 10.2). Such transfer may be to anywhere in the world.
Data will be transferred to a third country which does not afford an adequate level of data protection only if the processor has put in place guarantees which the legislator deems fit to safeguard data protection (e.g. EU's standard contractual clauses). No transfer based on standard contractual clauses will take place without a prior risk assessment. If the risk assessment shows that the processor is unable to comply with the standard contractual clauses, we will ensure that additional technical measures are taken to safeguard the integrity and confidentiality of the transferred personal data.
We process special category personal data (see Clause 6.2) only when absolutely necessary in order to provide a service and you have made the relevant data available to us or have consented to their processing. Such processing takes place when, for example, you inform us of health complaints after purchasing a product.
Profiling involves automatically processing people’s purchase and behavioural data and amalgamating the data to form profiles which can reflect your interests and preferences. These profiles form the basis for us to show you products that interest you and are relevant to you. For this purpose, personal data such as person master data (see Clause 8.1), contract data (see Clause 8.1), communication data (see Clause 8.2), behavioural and transactional data, online identification data or online tracking and traffic data (see Clause 8.3) are evaluated, and they are analysed and combined based on recognized mathematical and statistical processes and logic.
We use such evaluations especially in order to be able to inform and advise you about certain services or products in a targeted way. Profiling enables us to continuously improve our offerings and adapt them to individual needs, share information and offers that meet your needs, or provide you with better customer support. Profiling also enables us to ensure that, to the greatest extent possible, you only receive information and offers that are actually relevant to you. For example, you receive discounts, see individual content in newsletters, apps and online shops (e.g. the products and discounts are shown in a sequence tailored to you) and only see advertising that is of interest to you.
We undertake group-wide profiling, as part of which we can also merge personal data from various sources (e.g. from different services of the Coop Group). We only undertake such profiling if you have consented to it. You consent when you create a customer account with one of our online shops and accept the relevant GTC. This profiling enables us to respond even better to your needs. Where applicable, you can object to the use of the relevant evaluations for marketing purposes within the Coop Group in the account of the respective online shop. In some online shops you can place orders without opening a customer account. If you do not create a customer account, no profiling takes place.
Some areas (e.g. online shops) can also undertake their own profiling based on data from that area (without supplementing additional data). If you do not want such profiling to take place, you can refrain from creating a customer account or, where applicable, can opt out in the relevant customer account.
Automated decision-making is when decisions, that have legal consequences for the person concerned or otherwise significantly affect that person, are made in a completely automated manner, i.e. without human influence.
We do not normally use automated decision-making. If we do, you will be separately informed.
We only store personal data for as long as necessary to fulfil the individual purposes for which the data were collected, or if we are legally obliged to retain them for longer.
In particular, we have to keep business communication, concluded contracts and accounting records for up to 10 years (see esp. Art. 958f of the Swiss Code of Obligations [CO]). Provided that we no longer require your data to perform the services, those data will be blocked. We will then only use the data for the purposes of financial accounting and taxes.
We keep your personal data secure and take suitable technical and organizational measures to protect your personal data against loss, access, misuse, or modification. Our contractual partners and employees who have access to your personal data are obliged to comply with data protection provisions.
For security reasons and to protect transmissions of confidential information (e.g. your orders or queries), our website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line in the browser changes from "http://" to "https://" and by the lock icon on the address line. All the main payment methods (e.g. Visa/Mastercard, etc.) use only encrypted SSL or TLS connections for payments.
Because we cannot guarantee full data security for communication by e-mail, we recommend sending confidential information through a secure means of transmission.
The information below explains how we process personal and other data in connection with our websites or apps. In particular, processing relies on cookies or similar technologies. The provisions below apply both to our websites and to apps, even if only one website is mentioned.
What information do we receive and how do we use it?
When you visit our website, certain data are automatically stored on our servers or on servers of services and products which we have sourced and/or installed. This is done for the purposes of system administration, safeguarding, tracking, or statistical analyses. The data involved are:
How can you prevent data being gathered?
The data are only stored for as long as is necessary to fulfil the purpose of their collection. Accordingly, the data are usually deleted after each session. Log files have to be stored in order for the website to function. Therefore, you do not have the option to object to these.
How do cookies work and what are they for?
Cookies are text files that are stored in your device's operating system via your browser whenever you visit a website. Cookies contain a unique identifier (ID) that enables us to distinguish individual visitors from others. However, you will not usually be identified. Cookies do not cause any harm on your device and do not contain any viruses. They are also used to significantly improve user interaction, so that certain settings remain stored for you, and they are essential for some technical features (e.g. session or shopping basket management).
What types of cookies are there?
Most of the cookies we use are what are known as "session cookies", which are automatically deleted after the end of your visit.
Other cookies remain on your system until you delete them (usually, however, they are deleted after a maximum of 2 years). The purpose of these cookies is to store your preferences (e.g. language and location settings), quickly provide and attractively display the website content (e.g. by using fonts and content delivery networks), analyse the use of that website for statistical evaluation and for continuous improvements, and for marketing purposes (usually by means of third-party cookies, see more below).
We can also use similar technologies such as pixel tags, fingerprint or other technologies to store data on the browser. Pixel tags enable certain information (e.g. whether and when a website was visited) to be transmitted to the server operator, in the form of small and normally invisible images or program codes that are loaded by a server. Fingerprints are used to collect information about the configuration of your system or browser when you visit a website, to distinguish your system from other devices. Most browsers also support additional technologies (such as web storage), which we can also use.
Which cookies or similar technologies do we use?
We can use the following types of cookies or similar technologies:
Do we use third-party cookies?
We can also use third-party cookies. In this case, the cookies will not be stored by us when you visit the website, but by the third-party provider. Such providers can also be based outside the European Economic Area (EEA), in which case data protection will be safeguarded by adequate measures (see Clause 11).
Some examples of third-party cookies are analysis services, tracking and retargeting measures, etc. These enable us to target you with ads on our websites or on third-party websites and measure the effectiveness of those adverts. The third-party providers can record your use of our websites and, if applicable, combine data collected on other websites. Said provider can also use these data for its own purposes, e.g. for personalized advertising on its own websites or other websites for which it supplies ads. If the provider can identify you (e.g. because you have a customer account), it can assign the user data to you. The associated processing is undertaken in accordance with the third-party provider's data privacy provisions. The main third-party providers are Google and Facebook. The main tools we use are described below (see Clause 18.3).
How can you prevent data being gathered via cookies?
Instructions for the main browsers are below:
In the case of cookies that are used to measure success and reach or for advertising, for many services there is usually a general opt-out option, provided by the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
Which other online advertising methods do we use?
As well as marketing and cookies of third-party providers, we use other techniques to manage online advertising on other websites and thereby prevent scattering losses. We can, for example, pass our users' e-mail addresses on to third-party companies in pseudonymized form (called 'hashing' – see Clause 6.6 for a definition). By comparing the database, the advertising company (usually a social media provider) identifies the contact data that are already in its own database, and can show you ads tailored to your interests (see, for example, the cookies used, Clause 18.3). Third-party companies do not receive any personal e-mail addresses of persons who are not already known. You can prevent personalized advertising being shown to you by altering your cookie settings (see above).
Can we include third-party offerings on our website?
We can incorporate other third-party offerings on our websites, particularly from social media providers. These offerings are disabled by default. Once you enable them (e.g. by clicking a button), the providers concerned can determine that you are on our website. If you have an account with that social media provider, it can assign this information to you and thus track your use of online offerings. Social media providers process these data under their own responsibility.
We can use tracking tools on our websites and apps with the aid of which we analyse use of our online offerings and can target marketing measures at visitors. The main tracking tools we use are listed and explained below.
a. Google Analytics
How does Google Analytics work?
Why do we use Google Analytics?
Google analyses the data collected on our behalf, so that we can build a picture of visits and user behaviour on our websites. We can then improve our services, the website content and its layout.
Which additional functions do we use?
How can you prevent your data being collected via Google Analytics?
You can prevent cookies being stored by changing the appropriate settings in your browser (see Clause 18.2). You can disable Google Analytics by downloading and installing the Google browser add-on.
b. Google Ads conversion tracking or similar services of other providers
Google Ads conversion tracking or similar services of other providers involve a cookie being stored on your device for the purpose of tracking and performance measurement whenever you access our website via a corresponding advertisement. It does not collect any personally identifiable information about users. Our legitimate interest in measuring website performance serves as the legal basis. The cookies are automatically deleted after 30 days.
Right to object
If you do not wish to participate in the tracking programme, you can block the relevant cookies in your browser settings.
c. Google Customer Match
To enable us to display personalized ads using Google's services, we can share lists of our customers' encrypted and pseudonymized personal data (e.g. e-mail addresses) with Google (see also Clause 8.3). These data are then collated so that advertising can be displayed via the Google network to the persons that Google can identify. Google does not gain access through this process to any new personal data that can be used for its own purposes.
If you have a Google account, you can disable personalized ads here. Without a Google account, you can turn off personalized ads by disabling cookies (see Clause 18.2).
d. Meta Pixel and Custom Audience
How do Meta Pixel and Custom Audience work?
To measure conversions, our websites use the Facebook Pixel (Meta Platforms Ireland Ltd., Harbour 4, Grand Canal Quay, Grand Canal Bridge, Dublin 2, Ireland). Meta Pixel enables us to track your behaviour after you have been redirected to our website by clicking on a Facebook ad. The data collected are anonymous to us as the operator of this website, so no conclusions can be drawn as to your identity.
Why do we use Meta Pixel?
We use Meta Pixel to evaluate the effectiveness of Facebook ads for statistical and market research purposes and to optimize future advertising measures.
We also use Custom Audience so that our Facebook ads are only shown to people who are already interested in our offerings or have similar interests. To this end we can send e-mail addresses to Facebook in encrypted and pseudonymized form (called 'hashing') so that the data can be collated with the database and identical users ascertained (see also Clause 8.3 above). Facebook does not gain access through this process to any new e-mail addresses that can be used for its own purposes.
If you do not want to be shown personalized ads by Facebook, you can alter your settings accordingly.
Who is responsible for the data processing?
We and Facebook have shared responsibility for the sharing of data that Facebook collects or receives via Meta Pixel or similar functions, for the display of advertising information tailored to visitors, for improvements to ad delivery, and for the personalization of functions and content. Therefore, you can also address requests for information or other data privacy matters directly to Facebook.
We are not responsible for all other data processing. Your data can be processed by Facebook for this purpose. In particular, they can be linked to your user profile and Facebook can use the data collected for its own advertising purposes.
e. Facebook SDK
Where and for what purpose do we use Facebook SDK?
Some of our apps use the Facebook Software Development Kit (Facebook SDK). The provider is Meta Platforms Ireland Ltd., Harbour 4, Grand Canal Quay, Grand Canal Bridge, Dublin 2, Ireland. Facebook SDK is used to measure Facebook ads which we run on Facebook. Facebook SDK acts as an interface for the transmission of information in order to display advertising on end devices. To identify our apps, we transmit an ID to Facebook via this interface. No other user data are transmitted to Facebook via the SDK. However, Facebook SDK may itself collate various data and send them to Facebook.
Information about the data that Facebook SDK logs is available on Facebook's website under "What data does Facebook collect via the SDK?".
How can you restrict transmission to Facebook?
You can restrict the transmission of data by the Facebook SDK by activating the "Restrict Facebook SDK" option in the app. With the restriction only the following data are transmitted:
f. App access rights
To provide the services in our apps, we may need the access rights listed below, which enable us to access certain functions of your device:
We can maintain pages and other online presences on social networks and other platforms operated by third parties ("fan pages", "channels", "profiles" etc.), where we collect the data described in Clause 7 and below. We obtain these data from you and the platforms when you contact us via one of our online presences (e.g. when you communicate with us, comment on our content or visit our presence). At the same time, the platforms analyse your use of our online presences and link these data with other known data which the platforms have about you (e.g. about your behaviour and your preferences). The platforms also process these data for their own purposes, under their own responsibility, in particular for marketing and market research purposes (e.g. in order to personalize advertising) and in order to manage their platforms (e.g. which content they show you).
We process these data for the purposes described in Clause 8, in particular for communication, for marketing purposes (including advertising on these platforms, see also Clause 18.2) and for market research. We can disseminate content (e.g. in our advertising on the platform, or elsewhere) that you publish yourself (e.g. comments on a post). We or the operators of the platforms can also delete or restrict content by or about you in accordance with the usage guidelines (e.g. inappropriate comments).
Weitere Angaben zu den Bearbeitungen der Plattform-Betreiber entnehmen Sie bitte den Datenschutzhinweisen der jeweiligen Plattform. Dort erfahren Sie auch, in welchen Ländern diese ihre Daten bearbeiten, welche Auskunfts-, Lösch- und weiteren Betroffenenrechte Sie haben und wie Sie diese wahrnehmen oder weitere Informationen erhalten können.
Version 1.0 / December 2022